diff options
| author | Dan Nicholson <dbn@endlessos.org> | 2022-01-12 17:10:56 -0700 |
|---|---|---|
| committer | Dan Nicholson <dbn@endlessos.org> | 2022-01-12 21:59:23 -0700 |
| commit | de1870df8cf6345be5f497d6a5129d5abc7398e5 (patch) | |
| tree | b630e3cc9d0da96d8f39a12377880d30c982980e /.github/workflows/tests.yml | |
| parent | 1af0150750fbedc780e8348c5927843824c65be0 (diff) | |
| download | ostree-de1870df8cf6345be5f497d6a5129d5abc7398e5.tar.gz | |
github: Workaround glib/seccomp issue on Ubuntu impish
The ubuntu-latest VMs are currently based on 20.04 (focal). In focal,
libseccomp2 doesn't know about the close_range syscall[1], but
g_spawn_sync in impish tries to use close_range since it's defined in
glibc. That causes libseccomp2 to return EPERM as it does for any
unknown syscalls. g_spawn_sync carries on silently instead of falling
back to other means of setting CLOEXEC on open FDs. Eventually it causes
some tests to hang since once side of a pipe is never closed. Remove
this when libseccomp2 in focal is updated or glib in impish handles the
EPERM better.
1. https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436
Fixes: #2495
Diffstat (limited to '.github/workflows/tests.yml')
| -rw-r--r-- | .github/workflows/tests.yml | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 5fd14bde..76b3967b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -22,6 +22,8 @@ jobs: # # image: The Docker image to use. # + # container-options: Additional Docker command line options. + # # pre-checkout-setup: Commands to run before the git repo checkout. # If git is not in the Docker image, it must be installed here. # Otherwise, the checkout action uses the GitHub REST API, which @@ -100,6 +102,21 @@ jobs: - name: Ubuntu Latest Release image: ubuntu:rolling + # FIXME: The ubuntu-latest VMs are currently based on 20.04 + # (focal). In focal, libseccomp2 doesn't know about the + # close_range syscall, but g_spawn_sync in impish tries to + # use close_range since it's defined in glibc. That causes + # libseccomp2 to return EPERM as it does for any unknown + # syscalls. g_spawn_sync carries on silently instead of + # falling back to other means of setting CLOEXEC on open + # FDs. Eventually it causes some tests to hang since once + # side of a pipe is never closed. Remove this when + # libseccomp2 in focal is updated or glib in impish handles + # the EPERM better. + # + # https://github.com/ostreedev/ostree/issues/2495 + # https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436 + container-options: --security-opt seccomp=unconfined pre-checkout-setup: | apt-get update apt-get install -y git @@ -108,6 +125,9 @@ jobs: runs-on: ubuntu-latest container: image: ${{ matrix.image }} + # An empty string isn't valid, so a dummy --label option is always + # added. + options: --label ostree ${{ matrix.container-options }} steps: - name: Pre-checkout setup |